Feed aggregator

Los Angeles Utility Accused of Cybersecurity Coverup

Info Security - Tue, 03/10/2020 - 16:21

The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city's mayor.

The allegations were made by Ardent Cyber Solutions LLC, a company hired by the Department of Water and Power (DWP) in April 2019 to perform cybersecurity work.

In a 10-page claim filed against the city earlier this year, Ardent states that it uncovered an "extremely high number of unpatched vulnerabilities" in the utility's "corporate IT network."

According to Ardent, DWP board president Mel Levine and DWP’s senior executives were informed of the security issues by email on August 12, 2019. But rather than address the issues, Levine, the DWP, and city officials made “false statements and failed to disclose material facts” in a bid to cover them up.

In the claim, Ardent states that city officials and DWP staff "acted to conceal these facts from federal and state regulators, bond rating agencies, purchasers of municipal securities issued by the LADWP and the public at large."

It is further alleged that Los Angeles mayor Eric Garcetti personally ordered the cancellation of Ardent's DWP contract on August 12, 2019, as a “retaliatory measure” after the company alerted officials to the utility's cybersecurity problems. 

The claim, submitted January 10, accuses the city and DWP of breaching the contract with Ardent and failing to pay the cybersecurity company over $3m in fees.  

DWP spokesman Joe Ramallo said the utility “strongly disagrees” with Ardent’s allegations. According to Ramallo, Ardent's contract was axed due to “concern over their continued involvement in critical cyber issues.” 

Ramallo said giving any further details could hurt any investigation into the claim.

“We want to assure our customers and stakeholders that cybersecurity is of the utmost importance to DWP,” Ramallo said. 

“And the appropriate steps have been taken to ensure that our cybersecurity is compliant with all applicable laws and security standards.”

The DWP headquarters were raided by the FBI in August last year as part of a probe into the city's handling of litigation that sprung from the bungled rollout of a new DWP billing system. No one was arrested or charged in connection with the raid.

Categories: Cyber Risk News

Phishers Use Fake HIV Test Results as Bait

Info Security - Tue, 03/10/2020 - 15:12

Cybersecurity researchers have uncovered a new phishing campaign that uses fake HIV test results to lure victims into clicking a malicious link.

The morally bereft campaign has been detected targeting insurance, healthcare, and pharmaceutical companies around the world.

In the latest incarnation of the scam, researchers at Proofpoint observed cybercriminals impersonating Vanderbilt University Medical Center and sending out fake HIV test result emails. 

Recipients were encouraged to open malicious content embedded into the message, which triggered the installation of Koadic RAT. Once installed, the malware can take complete control of a user's system, running programs on the infected device and accessing victims’ data, including sensitive personal and financial information.

The control it gives attackers has made Koadic popular among many threat groups in recent years, particularly those thought to be state-sponsored by the People's Republic of China, the Russian Federation, and Iran.

Though criminally accomplished, the attackers in this instance made a schoolboy error in putting together the text of their egregious email, misspelling Vanderbilt as "Vanderbit." 

Proofpoint researchers wrote: "This latest campaign serves as a reminder that health-related lures didn’t start and won’t stop with the recent Coronavirus-themed lures we observed. They are a constant tactic as attackers recognize the utility of the health-related 'scare factor.'"

Researchers advised members of the public to think before they click and to take into account that healthcare professionals are highly unlikely to send sensitive information such as the results of an HIV test over email.

"We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information," stated researchers.

"Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in person."

Proofpoint said that the best way to avoid falling victim to phishing scams that pretend to grant access to genuine medical test results is to establish an alternative method for receiving results from your doctor. 

They said: "If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results."

Categories: Cyber Risk News

Google Play Protect IDs Just a Third of Malicious Apps

Info Security - Tue, 03/10/2020 - 11:45

Google’s Play Protect anti-malware tool is bottom of the league when compared to its main rivals, according to the latest findings from AV-Test.

The independent testing body found that the Google tool, which is built into newer Android devices, was able to detect only around a third of malware, allowing thousands of malicious apps through. AV-Test argued that users should install an alternative third-party AV tool to ensure robust threat protection.

AV-Test ran 17 Android security applications through a three-part test, covering protection, performance and usability.

In the first part, the app is required to identify 6700 malicious apps; the second part covers processor and battery load and the third checks for any false alarms that security tools may raise on innocuous apps.

Seven vendors managed the maximum score of 18: Trend Micro, Avira, SK Telekom, NortonLifeLock, Kaspersky, G Data and Bitdefender.

Google Play Protect came in last place with just six points, awarded solely for its performance. It scored zero for protection and usability.

AV-Test tried two protection methodologies: evaluating whether security vendors could detect 3300 totally new malicious apps, discovered just 2 to 24 hours previously, and 3300 dangerous but previously known pieces of malware.

Several vendors scored 100% on both: Antiy, Bitdefender, Cheetah Mobile, NortonLifeLock, Trend Micro and Kaspersky.

However, Google Play Protect managed just 37% and 33%. To put this in perspective, the next ‘worst’ performing was AVG with nearly 99%.

“As the detection rates of Google Play Protect are really quite poor, the use of a good security app is highly recommended,” noted the report.

“The range of apps tested offers a wide selection of reliable and battery-friendly security apps. The apps with the maximum point score of 18 are all paid apps with annual license fees, but that ought to be worthwhile to users in exchange for their security.”

The Google security tool was introduced to the market nearly three years ago.

Categories: Cyber Risk News

Human Error Linked to 60% of Security Breaches

Info Security - Tue, 03/10/2020 - 10:30

Three-fifths (60%) of UK businesses have experienced a cyber-attack and/or data breach caused by human error, knocking them out of action for days, according to new research from Gallagher.

The global insurance company polled 1000 UK business leaders to find out more about their exposure to cyber-risk.

It revealed that as many as 3.5 million UK companies may have suffered losses because of human error. Data loss and downtime were both flagged as potentially serious consequences of a cyber-attack.

Nearly a third (30%) said their business was knocked out for four to five days, while a similar number claimed the organization was disrupted for up to three days.

In 14% of incidents, customer data was stolen, potentially exposing these organizations to the risk of data protection fines.

On the plus side, business leaders are prioritizing steps to mitigate the insider threat: 71% said they worry about human error increasing cyber-risk and 64% claimed they regularly remind staff about such risks.

A further 42% have invested in off-the-shelf packages and 39% in customized tools to help protect their business. Yet just 39% claimed to have sought external advice on how to manage cyber-risk effectively.

This is important as the threat landscape continues to evolve and cyber-criminals are becoming increasingly adept at tricking employees into doing their bidding, according to Tom Draper, head of cyber at Gallagher.

“However, by businesses taking a comprehensive, multi-layered approach to cybersecurity – including ensuring they have the appropriate insurance in place – establishing effective training programs for employees, and implementing technologies that secure the most sensitive data, they can save both money and resources in the long run, while also helping to mitigate the potential threat of an attack,” he concluded.

According to new data from the Ponemon Institute, the volume of insider cybersecurity incidents has risen 47% since 2018, while costs have soared 31% over the same period to reach $11.5m on average per incident.

Categories: Cyber Risk News

Ryuk Ransomware Takes Out Durham, North Carolina

Info Security - Tue, 03/10/2020 - 09:34

The North Carolina city of Durham has become the latest US municipality struck by ransomware after reports suggested the Ryuk variant forced key services offline.

In an update on Sunday, the local authority claimed that both the City of Durham and Durham County Government are now in the “recovery process” after being hit by the attack on Friday.

Although emergency calls, 911 and “critical public safety systems” were operational throughout, the incident forced the city to shut down its phone system to contain the attack.

“There are phone disruptions to other city facilities and services, such as Durham One Call’s phone line at 919-560-1200, Durham Parks and Recreation centers, City Hall, etc,” it explained.

However, the municipality’s website and app were not affected, and therefore able to deal with residents’ bill payments and other services.

According to local reports, the Ryuk ransomware arrived in a phishing email sent to a city employee.

Aleksander Gorkowienko, managing consultant at Spirent SecurityLabs, argued that organizations need a combination of employee education and technology controls to mitigate the phishing threat.

“Attackers are clever and opportunistic and, by trial and error, they are continuously searching for methods which statistically give them the highest probability of success with the lowest effort. Here we have good evidence that old methods still work well,” he added.

“The lesson for the future is that organizations should balance their efforts between investing in the newest technological security solutions and education of their personnel.”

Cesar Cerrudo, CTO of IOActive, argued that it’s time for local governments in the US to wake up to the ransomware threat.

“City systems are less protected than private sector systems, so it's no surprise that cyber-criminals target them as easier and juicier targets to ensure they keep profiting,” he claimed.

“Cities need to start investing more on cybersecurity in general, including education, threat assessment, monitoring, prevention, etc. in order to have well established plans for quick reaction and recovery from cyber-attacks.”

Categories: Cyber Risk News

University of Kentucky Defeats Month-Long Cyber-Attack

Info Security - Mon, 03/09/2020 - 17:20

The University of Kentucky (UK) has fought off a month-long cyber-attack that impacted UK Healthcare and caused a system-wide slowdown.

According to UK officials, the disruption was caused by cryptocurrency mining malware installed by threat actors on the UK network in February. The malware caused daily interruptions to everyday functions and triggered temporary failures of UK's computer system.

Disruptions were chiefly felt at UK Healthcare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, Kentucky. Together, the hospitals serve more than 2 million patients. 

An investigation into the attack has found no evidence to suggest that patient or student data was compromised.  

University spokesperson Jay Blanton said: "Understanding that our review is ongoing, and based on the consultation of outside experts, we have no evidence to date that any personal health information or other sensitive data, such as personal student or employee data, has been downloaded or accessed."

Eric Monday, UK’s executive vice president for finance and administration, said the attack appeared to have originated from outside the United States. He expressed the view that the attack had been carried out in an attempt to hijack the “vast processing capabilities” of the UK network to mine cryptocurrency. 

Following the attack, the university hired an independent computer forensic firm to help improve cybersecurity and installed CrowdStrike security software as a preventative measure against future threats. UK is believed to have spent more than $1.5m on ejecting the malware from its network and improving cybersecurity.

A major 3-hour reboot of the university's IT systems, carried out without the students' knowledge yesterday morning, is believed to have finally removed the lingering malware threat. 

In a message sent out to the university's campus community on Monday morning, Blanton said: "A significant step in this procedure involved a short, planned network outage that took place earlier this morning, which we communicated overnight. Per the advice of our cybersecurity partners, it was necessary to limit the information provided in this initial communication. Now that the network has been restored and more aggressive security measures have been implemented, we can communicate with full transparency without risk of sacrificing the security of our systems." 

Categories: Cyber Risk News

Cybersecurity Conferences Postponed and Canceled Over #Coronavirus Fears

Info Security - Mon, 03/09/2020 - 16:05

The global pandemic of Coronavirus, and the concerns of people traveling and gathering indoors at large events, has hit the cybersecurity events calendar with events now being canceled.

Initially Mobile World Congress was canceled, after being due to take place in late February, with a statement claiming that this was due to “the global concern regarding the coronavirus outbreak, travel concerns and other circumstances,” whilst San Francisco’s RSA Conference did go ahead despite exhibitors including IBM, Verizon and AT&T dropping out.

Meanwhile, this week’s IAPP Data Protection Intensive has also been postponed. IAPP President and CEO J. Trevor Hughes said in an email that the event has been postponed “in light of the growing concerns over the spread of the COVID-19 virus in the UK and increasing numbers of speakers, sponsors and delegates unable to attend due to corporate travel restrictions.”

He added: “Of course, this was not an easy decision. We realize how much energy, effort and time our speakers, sponsors and delegates put into the planning and preparations for an event like this, but in consideration of the rapidly developing situation, we have made the decision to postpone.”

Also over the weekend, BSides Liverpool announced that its late April event has been postponed. Speaking to Infosecurity, organizer Jenny Radcliffe said that the team was reluctant to cancel, but had to consider that people were not going to travel and the cost involved, adding that “we cannot gamble with people’s health and sponsorship money.”

Radcliffe did say that there is a plan to reschedule the event at the end of the year, but as for holding an event in April, “the more we looked at it, the more foolish it seemed” to go ahead, and it was “with massive regret” that it has been canceled.

However, a number of conferences have insisted that they are still going ahead. In a statement, the organizers of BSides Dublin, due to be held on March 28, recommended “anyone attending to keep in mind and make decisions based on their personal situation” and said that anyone with cold or flu-like symptoms or those that have visited any of the high risk locations should not attend.  

Meanwhile, Infosecurity Europe organizers Reed Exhibitions said in a statement that “Infosecurity Europe will run as scheduled in Olympia London, June 2-4 2020.”

While following the latest guidance from Public Health England and the World Health Organisation (WHO), Reed Exhibitions wanted “to reassure all participants of Infosecurity Europe that should the UK Government issue any further guidelines, they will be applied to our event and we will continue to update everyone involved on a regular basis. The health and safety of our exhibitors, visitors, partners and staff is our number one priority.”

Categories: Cyber Risk News

Accenture Acquires Context Information Security

Info Security - Mon, 03/09/2020 - 15:46

One of the UK's most recognizable and respected information security service providers has been acquired by Accenture.

Context Information Security was acquired for an undisclosed sum from former parent company Babcock International Group. 

The deal is the latest in a string of cybersecurity acquisitions by Accenture, which agreed to acquire Symantec’s cybersecurity services business in January. Context will strengthen an already considerable portfolio, which includes Déjà vu Security, iDefense, Maglan, Redcore, Arismore, and FusionX.

In a statement released on Friday, Kelly Bissell, a senior managing director at Accenture, said: "This acquisition is an excellent match for us, combining a group of highly skilled cybersecurity professionals globally while providing differentiated services to clients in the UK market.

"The deal signals continued aggressive growth for Accenture Security and gives us a new branch of talented family members to help clients grow their business with confidence and resilience."

Context Information Security was founded in London in 1998, where it remains headquartered to this day. Over the years, it has expanded to include more than 250 employees, opening offices in Australia, Germany, and the United States. 

The company provides high-end cyber defense, intelligence-driven red team, vulnerability research, and incident response services. Context is perhaps best known for the role it has played in helping government organizations, financial institutions, and other clients respond to the threat of advanced cyber-attacks.

With the acquisition, Context now forms part of Accenture's cyber-defense offerings, strengthening Accenture Security's existing portfolio. 

"Context has a remarkable set of cybersecurity skills, capabilities and reputation in the UK as well as in the international financial services industry to complement the growth we have already driven for more than a decade in this market," said Nick Taylor, UKI lead at Accenture Security.

"We are excited to welcome this talented group of professionals that share a common vision of providing world-class cybersecurity to our clients."

Context Information Security’s chief executive officer, Mark Raeburn, described the deal as a marriage of strategies. 

"Accenture’s industry-focused approach across adversary simulation, red teaming, incident response and more, matches Context’s own strategy. Accenture’s family culture is a great fit for Context," commented Raeburn.

Categories: Cyber Risk News

(ISC)² Membership Grows to Over 150,000

Info Security - Mon, 03/09/2020 - 15:18

International cybersecurity organization (ISC)² today announced that its membership has grown to include over 150,000 professionals.

(ISC)² is the world's largest nonprofit association of certified cybersecurity professionals, drawing members from 175 different countries. 

The organization was founded in the United States in 1989 as "The Consortium," with the dream of creating a global information security certification process for professionals. 

David Shearer, CEO of the organization, said a major focus of today's (ISC)² was attempting to close the gaping global cybersecurity skills gap.

"We're extremely proud of our association's growth over the past 30 years to support the profession and reach this member milestone, however we can't stop now," said Shearer. 

"The cybersecurity workforce still needs to grow by 145% globally in order to close the widening skills gap, and we will continue to maintain our certifications and provide up-to-date training opportunities to help our members keep their skills sharp throughout their careers, so they can overcome the challenges associated with securing critical assets in the public and private sectors and the systems we use in our everyday lives."

One solution to growing the cybersecurity workforce that (ISC)² is actively pursuing is to recruit new talent from other industries.

Shearer said: "Reaching 150,000 members is certainly a milestone worth celebrating, but our focus remains on driving awareness of the cybersecurity profession as a great opportunity for those currently outside the field too.

"We need to introduce and welcome a more diverse group of talented young people to cybersecurity, especially those outside of information technology, who can add different perspectives and problem-solving skills to existing teams. Closing the skills gap will take all of us working together to find solutions."

(ISC)² entered the history books when it became the first information security certifying body to meet the requirements of ANSI/ISO/IEC Standard 17024—the leading global benchmark for certifying professionals.

Today the organization offers several information security certifications recognized as the global standard for excellence, such as the acclaimed Certified Information Systems Security Professional (CISSP) certification and the fast-growing Certified Cloud Security Professional (CCSP) certification.

Categories: Cyber Risk News

WatchGuard Announces Intention to Acquire Panda Security

Info Security - Mon, 03/09/2020 - 14:46

WatchGuard Technologies has announced its intention to acquire endpoint security vendor Panda Security.

In a combination of network and endpoint technologies, WatchGuard said that the combined entity will provide centralized management of advanced threat detection and response functionality fueled by AI, behavior profiling techniques and security event correlation.

Prakash Panjwani, CEO of WatchGuard, said that in the short term, the acquisition of Panda Security “makes best-in-class endpoint detection and response, threat hunting, endpoint AV, email security, patching and data compliance and encryption accessible to our customer base through a trusted vendor and their IT solution provider of choice.”

Panjwani said that businesses face an increasingly sophisticated and evolving threat landscape, scarcity of trained security professionals and an increasingly porous perimeter. “As a result, network security, advanced endpoint protection, multi-factor authentication, secure networking and threat detection and response capabilities are consistently ranked as top security investment areas by IT decision-makers and IT solution providers who serve them,” he said.

“By bringing the companies together, we enable our current and future customers and partners to consolidate their fundamental security services under a single brand, backed by the innovation and quality that is a core part of both companies’ DNA.”

The transaction is subject to customary closing conditions, including regulatory approvals, and is expected to close in Q2 2020.

“We are thrilled to merge with WatchGuard because of the new scale and portfolio access it provides to Panda Security customers and partners,” said Juan Santamaria Uriarte, CEO of Panda Security.

“Together, we look forward to building a security platform that bridges the network and user perimeter, with capabilities that are unmatched in the cybersecurity market.”

Categories: Cyber Risk News

SANS: Gender Still Biggest Challenge for Many Women in Cyber

Info Security - Mon, 03/09/2020 - 11:30

Gender is still the biggest challenge facing many women seeking to progress in their cybersecurity careers, according to the SANS Institute.

The new findings released by SANS ahead of International Women’s Day on Sunday came from the first ever Women in Cybersecurity Survey, which was compiled from 488 interviews globally.

Some 35% of respondents, who were all chosen from senior or leadership positions in their respective organizations, said that their gender was the number one challenge to career progression.

That’s despite chronic skills shortages in the industry which now exceed four million positions globally, including 561,000 in North America and 291,000 in Europe. The latter figure is an increase of over 100% in just 12 months.

According to (ISC)², only around a quarter (24%) of the global cybersecurity workforce is female.

Many respondents to the SANS study credited their rise through the ranks as being down to having varied experience (38%) and pursuing certifications (34%), but more (41%) said it was due simply to being in the right place at the right time.

Disappointingly, a quarter of respondents (25%) said they’d never been mentored, and just 7% had been mentored by another woman.

“Women can have a tremendous amount of impact in their organizations regardless of their title,” says SANS analyst and survey author Heather Mahalik. “Your title and time in the field do not define what you know and the impact you can provide to this community. They do not define your impact or even narrow in on your capabilities — your actions do.”

The good news is that women in senior positions are taking proactive steps to ensure the next generation of colleagues are better supported in the workplace than they were. Just a quarter of respondents said they weren’t involved in mentoring, while over half (57%) claimed they mentor both men and women.


Categories: Cyber Risk News

Former US Inspector General Indicted for Software Theft and Fraud

Info Security - Mon, 03/09/2020 - 10:30

A former US government inspector general has been indicted on charges of software and data theft and an alleged scheme to defraud the government.

Charles Edwards, 59, of Sandy Spring, Maryland, and one of his assistants at the Department of Homeland Security (DHS), Murali Venkata, 54, of Aldie, Virginia, were charged with conspiracy to commit theft of government property and to defraud the United States, theft of government property, wire fraud and aggravated identity theft. Venkata was also charged with destruction of records.

The indictment alleges that, between October 2014 and April 2017, Edwards, Venkata and others plotted to steal proprietary software from the DHS Office of Inspector General (OIG), where Edwards worked from 2011 to 2013.

They’re also accused of scheming to steal government databases containing personally identifiable information (PII) on DHS and US Postal Service (USPS) employees. The end goal was for Edwards’s company, Delta Business Solutions, to sell an “enhanced version” of DHS-OIG’s software to the OIG for the Department of Agriculture.

It’s claimed that Venkata and others went to great lengths to help Edwards in this scheme, including by: reconfiguring his laptop so it could upload the stolen software and databases, providing troubleshooting support for Edwards on demand and helping him build a test server at his home with the stolen software and data.

The indictment alleges Edwards even retained a group of software developers in India to work on the project.

This isn’t the first time the former acting inspector general has been in trouble. In 2014, a bipartisan investigation found that he had “jeopardized the independence of the Office of Inspector General and that he abused agency resources.”

He’s said to have rewritten and delayed critical audits at the request of DHS officials and maintained inappropriate personal relationships with staff.


Categories: Cyber Risk News

APT Groups Attack Exchange Servers Via Patched Flaw

Info Security - Mon, 03/09/2020 - 09:38

Multiple likely state-backed APT groups have been detected exploiting a recently patched Microsoft flaw to target Exchange servers.

The vulnerability in question, CVE-2020-0688, was discovered by an anonymous security researcher and reported to Microsoft via Trend Micro’s Zero Day Initiative (ZDI). It was fixed in the February Patch Tuesday update round, but discovered by Volexity around two weeks later being exploited in the wild.

The flaw is found in the Exchange Control Panel (ECP) component and results from “Exchange Server failing to properly create unique cryptographic keys at the time of installation,” according to the ZDI.

The flaw can be exploited on unpatched systems, but only if the ECP interface is reachable by the attacker and they hold a working credential that can log in to the ECP.

“In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use. Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail, etc., limiting what an attacker can do with a compromised password,” explained Volexity.

“This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account. This issue further underscores why changing passwords periodically is a good best practice, regardless of security measures like 2FA.”

So far, the firm has observed attackers exploiting the bug to run system commands for reconnaissance, deploy a webshell backdoor accessible via OWA, and execute in-memory post-exploitation frameworks.

They have also been trying to brute force their way to exploitation via Exchange Web Services (EWS).

While the need for a compromised credential will put off many low-level black hats, more motivated hackers will certainly present a threat to organizations that have not yet patched, Volexity concluded.


Categories: Cyber Risk News

Fake Tech Support Company Dupes 40K Victims Out of $8m

Info Security - Fri, 03/06/2020 - 19:32

A college drop-out has admitted using malware and a fake tech support company to con 40,000 victims out of millions of dollars.

Former engineering student Amit Chauhan set up a bogus technical support call-center company called Tech Support in January 2019. Together with his accomplice and Jind resident Sumit Kumar, Chauhan ran the center from the upscale Udyog Vihar area of Gurugram, a city just southwest of New Delhi in northern India.

Victims who called the fake company for technical support were told to go online and click on a particular pop-up; doing so activated malware that stole their financial data.

Chauhan admitted to police that he and Kumar had used the fake company and malicious pop-ups to dupe over 40,000 foreign nationals out of more than Rs 60 crore (over 8 million USD).

The pair's profitable scheme was rumbled after British victim Jim Browning outed their fake operation on YouTube. 

“The victim uploaded a video complaint on YouTube where he described how he was duped by a call center employee after he was sent a pop-up on his laptop and offered technical support to remove glitches,” said Karn Goyal, assistant commissioner of police for Gurugram's Cyber Crime Cell.

“That pop-up was actually malware sent by the call centre. The accused took handsome amounts from victims through a payment gateway in the name of technical support."

Acting on Browning's tip-off, Gurugram's Cyber Crime Cell raided the premises of Tech Support on March 4. A laptop owned by the accused was found to contain names and addresses of victims. 

Under interrogation, Chauhan and Kumar admitted running the fake call-center company since January 2019 as a way to cheat money out of foreigners. 

Chauhan and Kumar have been charged under India's IT Act and are currently being held in police remand while further investigation is carried out into their alleged crimes.

While Chauhan may have kept his allegedly shady business dealings secret, he made no effort to hide his immense wealth. The alleged cyber-criminal lived in Gurugram's luxury Magnolia condominium on Golf Course Road and was known locally for wearing designer clothes and driving around the city in Porsches and Jaguar SUVs.

Categories: Cyber Risk News

Disaggregated Scalable Firewall Framework Released

Info Security - Fri, 03/06/2020 - 18:01

Three major US companies have joined forces to develop a Disaggregated Scalable Firewall (DSFW) framework.

The collaboration between AT&T, Palo Alto Networks, and Broadcom was announced earlier today as an expansion to the Distributed Disaggregated Chassis (DDC) that was recently contributed to the Open Compute Project (OCP). 

The new DSFW will enable network operators to deploy firewalls as software-based platforms rather than as hardware appliances. The initiative focuses on using AI and machine learning embedded in the network fabric to prevent attacks using actionable events. 

The DSFW expansion will deliver the first dynamically programmable fabric with embedded security functions and services at the edge of the network. The new firewall framework could also pave the way for future Scalable Disaggregated Application Services. 

The trio behind the new framework each brought something unique to the collaboration process. 

Broadcom’s Jericho 2 chip, which was fundamental in the OCP contribution of the DDC, formed an essential part of the DSFW solution. To make the framework happen, Broadcom provided expertise for the J2 functionality, coupled with a new development on the chip to retain Layer 4 session information.

These advances improved the scalability of the solution by allowing session handling to be offloaded to the hardware.

“This approach enables pervasive security at terabit scale economically,” said Oozie Parizer, senior director of product marketing, Core Switching Group, Broadcom. 

“Through our close technical collaboration, we have leveraged the extensive capabilities in Jericho 2 and look forward to delivering additional solutions in the very near future, to secure and scale the network infrastructure.”

Palo Alto Networks weighed in with technology that supports security capabilities directly on the network edge, allowing continuous security, automation, and analytics to occur. Their input made it possible for the DSFW to function at scale, even during periods of increased traffic caused by peak demand. 

Michael Satterlee, vice president, Network Infrastructure and Services, AT&T, said the new framework would offer better protection from threats.

"Traditionally, we have had to rely on centralized security platforms or co-located appliances which are either not directly in the path of the network or are not cost effective to meet the scaling requirements of a carrier. We now carry more than 335 petabytes of data traffic on our global network on an average day, with 5G poised to push that number even higher," said Satterlee.

"Securing that cargo using traditional methods just won’t work. This new design embeds security on the fabric of our network edge that allows control, visibility, and advanced threat protection.”

Categories: Cyber Risk News

266,000 Passwords Stolen in Trident Crypto Fund Data Breach

Info Security - Fri, 03/06/2020 - 16:53

A major data breach has occurred at Trident Crypto Fund, resulting in the publication of over a quarter of a million customer usernames and passwords online.

According to a report published on March 5, 2020, by Russian media outlet Izvestia, the personal data of 266,000 registered Trident Crypto Fund users was illegally accessed when a database was compromised. 

Data stolen in the attack against the fund is said to have included email addresses, cell phone numbers, encrypted passwords, and IP addresses. 

Ashot Oganesyan, technical director of cybersecurity company DeviceLock, told Izvestia that users' data was posted on a number of file-sharing websites around February 20, 2020. 

According to Oganesyan, the hackers responsible for the attack decrypted and published a dataset of close to 120,000 passwords on March 3. He emphasized that more than 90% of the login/password pairs were unique and had never been found in leaks before.

With these credentials in hand, attackers could log in to users' accounts and access their funds, or try the same email/password pairs against other services. That only around 120,000 of the 266,000 "encrypted" passwords were recovered is what one would expect from cracking stored password hashes offline rather than decrypting an encrypted store, though the report does not say how the passwords were protected.

Trident Crypto Fund is a crypto-investment index fund that operates out of Dragonara Business Centre in Malta, touting itself as "the first coin-based index fund."

No mention of the data breach has been made on the fund's website or announced via its Telegram group. However, Izvestia contacted an individual whose data was breached in the incident, who confirmed the connection between the leaked data and the Trident Crypto Fund. 

"We work hard to help keep your account secure and protect your personal information," the fund's website states.

"We work hard to ensure that the information you share is secure. We investigate any suspected breach of security, including fraud activity."

Oganesyan said that the data breach was notable as being the first such incident to have a major impact on Russian citizens. According to Oganesyan, 10,000 Russian users were affected by the attack on Trident Crypto Fund.

"Apparently, Russian citizens might already have had their data leaked before. However, no one has taken them into account before, and the personal data leak of 10,000 Trident Crypto Fund users can be considered the first major personal data leak of Russian crypto investors,” said Oganesyan.

Categories: Cyber Risk News

Stalkerware Soared 91% in UK Last Year

Info Security - Fri, 03/06/2020 - 11:30

Mobile stalkerware detections are rising faster in the UK than globally, according to new stats revealed by Kaspersky ahead of International Women’s Day (IWD).

The security firm claimed the number of UK users targeted by these surveillance apps jumped 91% from 2018 to 2019, against a global rise of 67%.

Worldwide, the number of victims detected by Kaspersky rose from 40,386 to 67,500 over the period, although this is likely to be just a snapshot of the total.

Stalkerware is a class of malicious software that its developers often market as a legitimate way of monitoring teenagers and children (the Monitor Minor tool is one example). In reality it is often used by stalkers, domestic abusers and violent ex-partners to threaten and intimidate women.

Kaspersky divides the category into two types of software: trackers, which intercept victims’ text messages and monitor location data, and full-fledged stalkerware, which has extensive spying capabilities.

“They can harvest almost any data on a compromised device: photos (both entire archives and individual pictures, for example, taken at a certain location), phone calls, texts, location information, screen taps (keylogging), and so on,” it explained in a report last month.

“Many apps exploit root privileges to extract messaging history from protected storage in social networking and instant messaging applications. If it cannot gain the required access, the stalkerware can take screenshots, log screen taps and even extract the text of incoming and outgoing messages from the windows of popular services using the Accessibility feature.”
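Because the Accessibility feature is the fallback Kaspersky describes, the enabled accessibility services are the first thing to check on a device suspected of carrying stalkerware. The script below is an added example, not Kaspersky's code: it parses the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated package/class pairs, or `null` when none is set) and of `adb shell pm list packages -3` (third-party packages), and reports any third-party app with an accessibility service enabled that is not on an allowlist. The sample outputs and the allowlist are constructed assumptions.

```python
"""Find third-party Android apps holding the Accessibility service, the
capability stalkerware uses to read other apps' screens.  Added example; the
sample outputs below are constructed and ALLOWED is an assumption."""
import subprocess

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED = ("com.example.screenreader/.ReaderService:"
                  "com.sysmon.monitor/com.sysmon.monitor.AccService")

# Constructed output of: adb shell pm list packages -3
SAMPLE_THIRD_PARTY = """\
package:com.example.screenreader
package:com.sysmon.monitor
package:com.bank.app
"""

# Assumed allowlist: third-party apps the device owner knowingly uses with
# accessibility access (a screen reader here).
ALLOWED = {"com.example.screenreader"}


def parse_accessibility_services(setting_value):
    """Return (package, class) pairs from the enabled_accessibility_services value."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    pairs = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):       # shorthand for a class inside the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_package_list(pm_output):
    """Return the set of package names from `pm list packages` output."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def suspicious_services(setting_value, pm_output, allowed=ALLOWED):
    """Accessibility services owned by third-party packages outside the allowlist."""
    third_party = parse_package_list(pm_output)
    return [(pkg, cls) for pkg, cls in parse_accessibility_services(setting_value)
            if pkg in third_party and pkg not in allowed]


def from_device():
    """Run the two adb commands against a connected device (needs adb and USB debugging)."""
    def adb(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return suspicious_services(adb("settings", "get", "secure", "enabled_accessibility_services"),
                               adb("pm", "list", "packages", "-3"))


if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY):
        print(f"unexpected accessibility service: {cls} ({pkg})")
```

A hit is a lead, not a verdict: confirm what the package is before removing it, and on a device in an abusive situation consider that removal may alert the person who installed it. Apps that gained root (the other route Kaspersky mentions) will not show up here and need a separate check.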

The problem is becoming so acute that a new industry body, the Coalition Against Stalkerware, was launched in November last year by AV vendors and anti-domestic violence groups.

“Together with our partners from the Coalition Against Stalkerware, we want to combine forces and our expertise to work towards putting an end to violence, especially against women, that is enabled by emerging technologies and our ever-connected lifestyles,” argued Christina Jankowski, senior external relations manager at Kaspersky.

“Our goal is to ensure that all those affected receive knowledge to protect themselves against digital stalking, and the support they need if they find themselves victims.”

IWD takes place this year on Sunday March 8.

Categories: Cyber Risk News

One Million Virgin Media Customers at Risk After Data Leak

Info Security - Fri, 03/06/2020 - 10:30

Almost one million Virgin Media customers may have had their personal details exposed to hackers after a database was left unsecured online.

The British ISP, owned by US cable group, Liberty Global, informed customers by email this week that the database of 900,000 users was accessible from at least 19 April 2019. Worse still, it admitted “the information has been recently accessed” by an unknown user.

“The database was used to manage information about our existing and potential customers in relation to some of our marketing activities,” continued the notice, which was sent to Infosecurity by a reader.

“This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth.”

However, no passwords or financial details were exposed in the privacy snafu, Virgin Media claimed.

The database was misconfigured by staff, leaving it exposed on the public internet for around 10 months. Almost all of those affected had Virgin TV or fixed-line telephone accounts, with a few Virgin Mobile customers also included, according to reports.

The company warned customers that “there is a risk you might be targeted for phishing attempts, fraud or nuisance marketing communications.”

Jonathan Compton, a partner at city law firm DMH Stallard, warned that Virgin Media may be facing a major GDPR fine as a result.

“Fines towards the maximum of the applicable [Data Protection Act 2018] are likely. This was a serious breach, over a long period, affecting nearly one million people,” he added.

“The situation is aggravated by the fact that this was not the result of a hack but the result of negligence.”

Categories: Cyber Risk News

T-Mobile Suffers Another Breach as Staff Emails Targeted

Info Security - Fri, 03/06/2020 - 09:25

T-Mobile customers in the US are on alert for phishing attacks once again after the company warned that some account information has been compromised.

In a note published on Wednesday, the carrier claimed that it recently “identified and quickly shut down” a “sophisticated” attack targeting its email vendor.

“Our cybersecurity team recently identified and shut down a malicious attack against our email vendor that led to unauthorized access to certain T-Mobile employee email accounts, some of which contained account information for T-Mobile customers and employees,” it explained.

“An investigation was immediately commenced, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was affected. We immediately reported this matter to federal law enforcement and are actively cooperating in their investigation.”

Although financial information and Social Security numbers are not affected, the stolen data may have included customer names, addresses, phone numbers, account numbers, rate plans, and billing information.

The firm said it’s still in the process of notifying customers and, in the meantime, urged them to reset their account PINs.

Peter Goldstein, CTO of Valimail, argued that compromised customers may be targeted by scammers.

“With access to a plethora of personal data on past and current customers and employees, hackers can potentially trade this data for profit in dark web marketplaces, or use it to commit account takeover, identity theft, or other scams,” he said.

“In fact, phishing campaigns often follow hot on the heels of breaches like this. Leveraging the compromised data, the malicious actor could target customers with extremely convincing phishing emails that appear to come from the breached company in order to harvest more sensitive information from them.”

This is by no means the first incident of its kind the carrier has suffered. The personal details of an estimated two million customers were illegally accessed in 2018, and a similar incident happened a year later to some prepaid customers.

Categories: Cyber Risk News

US DoD Employee Charged with Spying for Lover

Info Security - Thu, 03/05/2020 - 19:07

A linguist working for the US Department of Defense has been charged with leaking the identities of American spies to a lover with connections to an overseas terrorist organization.

Mariam Taha Thompson, 61, was charged yesterday with transmitting highly sensitive classified national defense information to a Lebanese national connected to Hizballah. 

The Shia Islamist political party and militant group Hizballah has been designated as a foreign terrorist organization by the US secretary of state.

Thompson, formerly of Rochester, Minnesota, allegedly gathered and transmitted data relating to America's "human assets," placing the spies and US military personnel in grave danger. 

She was arrested by FBI special agents on February 27, 2020, at an overseas US military facility, where she worked as a contract linguist and held a Top Secret government security clearance.    

An investigation of audit logs of Thompson's network activity on Department of Defense classified systems found that the linguist repeatedly accessed classified information she had no need to access.

It is alleged that over a six-week period between December 30, 2019, and February 10, 2020, Thompson looked at dozens of files concerning human intelligence sources, including true names, personal identification data, background information, and photographs of the human assets, as well as operational cables detailing information the assets provided to the United States government.
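The finding above came from comparing what an account read against what it had any need to read. The script below is an added example, not DoD tooling, of that review over an access audit log: each record carries the compartment of the object touched, an entitlement table says which compartments each account may read, and the script lists out-of-entitlement accesses and the accounts that repeat them. The log lines, compartment labels and entitlement table are all constructed.

```python
"""Need-to-know review of an access audit log.  Added example; every record
and the entitlement table are constructed."""
from collections import defaultdict

# Constructed audit records: timestamp,account,object,compartment
SAMPLE_AUDIT = """\
2020-01-03T09:12:00Z,linguist01,/hum/src-0417.txt,HUMINT
2020-01-03T09:14:10Z,linguist01,/hum/src-0418.txt,HUMINT
2020-01-03T10:02:00Z,linguist01,/ling/glossary-ar.txt,LINGUISTICS
2020-01-05T11:30:00Z,linguist01,/hum/src-0419.txt,HUMINT
2020-01-05T11:31:00Z,analyst02,/hum/src-0417.txt,HUMINT
2020-01-06T08:00:00Z,analyst02,/ling/glossary-ar.txt,LINGUISTICS
"""

# Assumed entitlements: compartments each account has a need to read.
ENTITLEMENTS = {
    "linguist01": {"LINGUISTICS"},
    "analyst02": {"HUMINT"},
}


def parse_audit(text):
    """Parse CSV audit lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, account, obj, compartment = parts
        records.append({"ts": ts, "account": account, "object": obj,
                        "compartment": compartment})
    return records


def violations(records, entitlements=ENTITLEMENTS):
    """Accesses to a compartment the account is not entitled to.  An account
    missing from the table is entitled to nothing, so all its reads are flagged."""
    return [r for r in records
            if r["compartment"] not in entitlements.get(r["account"], set())]


def repeat_offenders(records, entitlements=ENTITLEMENTS, min_objects=3):
    """Accounts that read at least `min_objects` distinct objects outside their
    entitlement: a single stray read is noise, a pattern is the signal."""
    objects = defaultdict(set)
    for r in violations(records, entitlements):
        objects[r["account"]].add(r["object"])
    return sorted(a for a, objs in objects.items() if len(objs) >= min_objects)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for v in violations(recs):
        print(f"{v['ts']} {v['account']} read {v['object']} ({v['compartment']})")
    print("repeat offenders:", repeat_offenders(recs))
```

The review only works if the entitlement table is maintained; stale entitlements turn legitimate reads into false positives and, worse, leave genuine over-access looking authorised.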

Thompson is accused of copying this information onto handwritten notes and passing it to a Lebanese co-conspirator with whom she was romantically involved. She is further accused of providing her lover with information regarding the techniques American spies used to gather information on behalf of the United States.

A handwritten note in Arabic was discovered under Thompson's mattress when her living quarters were searched on February 19. The note contained classified information from Department of Defense computer systems, identifying human assets by name and warning a Department of Defense target who is affiliated with a designated foreign terrorist organization with ties to Hizballah.  

Thompson was charged with delivering defense information to aid a foreign government and conspiring to do so. If convicted, Thompson could spend the rest of her life in jail.

Categories: Cyber Risk News